Privacy policy for Carryroo
1. Controller
The controller responsible for processing personal data in connection with the Carryroo platform is:
- info@enmindustry.com
- Phone
- +49 241 9213 5957
- Managing Director/CEO
- Dr. Amir Kianfar
- Commercial register court
- Local Court of Aachen
- Register number
- HRB 23492
- VAT ID
- DE329957151
- Tax number
- 201/5956/4943
2. General information
Carryroo is a digital matching platform. Registered users can create handoff requests as Senders or publish real trips and accept requests as Couriers.
Carryroo provides digital functions such as registration, login, user profiles, trip publishing, trip search, internal communication, order management, payment processing through external payment providers, status tracking, ratings, support, verification and dispute handling.
Carryroo does not receive, store, transport or deliver documents or items itself.
This privacy policy explains which personal data we process, for which purposes, on which legal basis and which rights data subjects have.
3. Categories of personal data
Depending on how the platform is used, we may process the following categories of data:
- registration and account data, including name, display name, email address, password hash, phone number, language, role, account status and login/security data
- profile data, including avatar, address, date of birth, nationality, voluntary profile details, contact details, ratings and trust indicators
- verification data, including email or phone verification status, verification codes, proofs, review status and information from external verification providers
- trip data from Couriers, including departure and destination countries or cities, handoff windows, notes, handoff options and trip status
- request and order data, including Sender and Courier information, item description, weight, dimensions, price, counter offers, fees, payment status, handoff places, handoff windows, cancellation reasons and dispute status
- communication data, including message content, sender, recipient, timestamps, attachments, system messages, support communication and dispute communication
- payment and billing data, including payment status, transaction numbers, amount, currency, service fees, payout status, refund status, payment provider and tax-relevant booking information
- rating, support, complaint and dispute data
- technical data such as IP address, access time, device, browser, operating system, language settings, referrer URL, accessed pages, log files, session IDs, security events and error logs
4. Purposes of processing
We process personal data in particular for the following purposes:
- providing the Carryroo platform
- registration, login and account management
- email verification and password reset
- role management for Sender and Courier workspaces
- publishing, searching and managing trips
- creating, accepting, rejecting, changing and canceling requests
- order management and internal user communication
- payment processing, refunds and payouts through external payment providers
- support, complaint handling and dispute handling
- user verification, fraud prevention, abuse prevention and platform security
- enforcing terms, prohibited-item rules and risk notices
- ratings, trust mechanisms, quality assurance and product improvement
- technical security, system stability, legal compliance and legal claims
5. Legal bases for processing
Personal data is processed on the basis of the General Data Protection Regulation (GDPR).
5.1 Contract performance and pre-contractual measures
We process data where this is necessary to perform the platform contract with users or to take pre-contractual steps. The legal basis is Art. 6(1)(b) GDPR.
5.2 Legal obligations
We process data where this is necessary to comply with legal obligations, for example tax, commercial, accounting or official obligations. The legal basis is Art. 6(1)(c) GDPR.
5.3 Legitimate interests
We process data on the basis of legitimate interests where the interests or fundamental rights of data subjects do not override them. This includes secure platform operation, fraud prevention, abuse prevention, dispute handling, rule enforcement, protecting other users, technical error analysis, product improvement, documentation of consent and defense against claims. The legal basis is Art. 6(1)(f) GDPR.
5.4 Consent
Where we request consent, processing is based on that consent. This may include non-essential cookies, analytics or marketing tools, certain notifications, voluntary profile information, voluntary verification data or later identity checks by external providers. The legal basis is Art. 6(1)(a) GDPR.
6. Disclosure of data to other users
For requests and orders, certain data may need to be visible to the other party, for example display name, profile information, ratings, verification status, trip data, request and order data, rough item description, handoff place and time, recipient information where required, platform messages and status information.
Users may use other users' data only for the relevant order. Other use, disclosure to third parties, publication or misuse is prohibited.
7. Payment providers
Payments are processed through external payment providers. The specific provider will be added once it is finalized.
The payment provider processes payment data for payments, refunds, payouts, fraud prevention and its own legal obligations. Carryroo generally does not store complete credit card data or comparable full payment instrument data.
8. Hosting, technical providers and processors
For platform operation, we use technical providers, in particular for hosting, databases, email delivery, SMS or notification services, support systems, security and monitoring services, payment integration, analytics or error diagnosis and verification services where used.
Where providers process personal data on our behalf, we conclude data processing agreements under Art. 28 GDPR. The specific providers will be added once finalized.
9. Transfers to third countries
Personal data may be transferred outside the EU or EEA if providers are located there, use servers there or enable access from there.
In such cases, we ensure appropriate safeguards under the GDPR, such as adequacy decisions, EU standard contractual clauses, additional safeguards and contractual or technical security measures.
11. Email, SMS and notifications
We may contact users by email, SMS, in-app message or comparable channels where this is necessary for platform use.
- email verification
- login and security messages
- password reset
- order notifications
- message notifications
- payment and status information
- support and dispute messages
- important changes to platform rules
Marketing messages are sent only if there is a legal basis or consent.
12. Storage and deletion
We store personal data only for as long as necessary for the relevant purposes. The storage period depends in particular on the duration of the user account, open requests or orders, payment or dispute cases, legal retention duties, evidence interests, security and abuse prevention and limitation periods.
After the relevant periods expire, data is deleted or anonymized unless legal obligations or legitimate interests prevent this.
13. Security
We take appropriate technical and organizational measures to protect personal data against loss, misuse, unauthorized access, alteration or disclosure.
- encrypted transmission
- password hashing
- role-based access control
- access restrictions for admin and support areas
- logging of security-relevant events
- time-limited verification and reset tokens
- technical safeguards against unauthorized access
- regular review and improvement of security measures
14. Minors
The platform is not directed at children. Use by minors is permitted only if the legal requirements are met and Carryroo expressly allows such use.
Carryroo may require age proof or additional confirmations and may restrict or delete accounts if there are doubts about lawful use.
15. Automated decisions and profiling
Carryroo may use internal risk, trust and security indicators, for example based on verification status, cancellation rate, response time, dispute rate, completed orders or rule violations.
No solely automated decision with legal effect or similarly significant impact takes place unless we separately inform users and meet the legal requirements.
16. Data subject rights
Data subjects have rights under the GDPR, including access, rectification, deletion, restriction of processing, data portability, objection to certain processing, withdrawal of consent and complaint to a data protection supervisory authority.
To exercise these rights, users can contact us at:
- info@enmindustry.com
17. Right to object
Where we process personal data based on legitimate interests, data subjects may object to processing for reasons relating to their particular situation.
We will then no longer process the personal data unless we can demonstrate compelling legitimate grounds or the processing serves legal claims.
18. Withdrawal of consent
Consent can be withdrawn at any time with effect for the future. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal.
19. Right to complain to a supervisory authority
Data subjects have the right to lodge a complaint with a data protection supervisory authority. The competent authority may be the authority at the data subject's place of residence or at the controller's registered office.
20. Changes to this privacy policy
We may amend this privacy policy if our platform, data processing, providers or legal requirements change. The current version is available on the platform.